Privacy: Be afraid, be very afraid. But don’t be afraid of Twitter.

Few topics are covered so poorly as online privacy, few are handled with such indifference toward reader interest or facts. Take, for example, last week’s big scary Twitter hack. Twitter realized a significant number of accounts were compromised by a new attack. So it reset passwords. No one has reported any identity theft, fraud, or damage. Twitter issued a blog post to make sure those affected would get online and change their passwords. Somehow, this snowballed into a major privacy story.

While I was delivering some talking-head sound-bites on this item for a certain newscast, the reporter asked me why the Twitter hack was such a huge deal. I was stumped–it wasn’t. So she asked me why it was getting so much attention. I knew the answer, but held my tongue.

Here’s what I was thinking: it gets so much attention because print and TV news love to bash technology, especially social media, and can’t resist a scary story about how the people who use it should be very, very afraid. The truth is, despite years of fear-mongering stories about Facebook identity theft, Gmail phishing attacks and massive Twitter hacks, public interest and concern about these things remains very low. That’s because these things haven’t happened to the vast majority of us, or to anyone we know. For the small number of people this has happened to, the impact is typically minimal. The mainstream news has become the Boy who Cried Internet.

This is not to say privacy isn’t a valid concern when it comes to free Internet services. There’s much to worry about, but little of it has to do with Russian digital mobsters, Chinese military hackers or spammy Nigerian princes. The real data privacy danger–with social media, and beyond–comes from government.

Consider this: federal Privacy Commissioner Jennifer Stoddart’s office received just 18 complaints from the public about (alleged) Internet privacy violations in 2011. In 2010, the number was 19. In Stoddart’s 2011 ranking of privacy-challenged industries, the Internet came in at seventh place, way behind the financial industry, transportation, and telecommunications, which took the top three spots, in that order. Even the hotel industry was worse than the Internet, earning 24 complaints, though you won’t hear much about the privacy dangers of Holiday Inn on the news. But here’s the truly shocking thing: add up all of the public’s privacy gripes with private companies in 2011, and you get 281 formal complaints to the Office of the Privacy Commissioner.

Now look at the most recent OPC annual report on alleged government intrusions into our privacy: the number is 986. And that’s an almost 40 per cent jump over the previous year’s number of government-related complaints. As I’ll detail in the next post, these complaints aren’t trivial: the breaches are serious, with real implications, and they stem from a culture of privacy sloppiness (at best). So yes, you should be scared about your privacy. But it’s not Twitter you should be scared of.

It’s Ottawa.

Over the next few posts I’ll be telling you what, if anything, is being done about it. Then we’ll look ahead at the real privacy threats Canadians should be thinking about. (Hint: C-30, the defeated Internet Snooping bill, just rumbled from its coffin and stuck a zombie finger through the dirt.)

Next: Civil servants with your data in their pants: Why it’s still OK to bring a USB key home in Ottawa.


The small number of complaints has a great deal to do with the fact that people are not aware of the scope and scale of monitoring. Many people are content to put their reliance in the lack of technical capacity to exploit existing databases. The markets are betting in billions on the prospect that this information will become packaged, and companies with the highest willingness to pay will have the greatest capacity to use the information. I don’t think people even think about why their patterns of debits, phone calls and internet activity are of such interest.

I don’t think there’s anything inherently wrong with this. What makes me concerned is the public indifference. We’re unwarily consenting to conditions which are not feasible to withdraw and whose implications are not even contemplated.

Re: your next article, I think everyone with half a brain and even the tiniest amount of technical knowledge thought exactly the same thing: why would putting personal data on a USB key EVER be allowed? Or put better: ever be POSSIBLE? It should be idiot proof.

Physical media should be in secure places so they can’t be lifted by just anyone passing by, and sensitive data should never be on computers that are connected to external networks (either directly or indirectly). Hacking is generally only a problem when people can access your network off-site. Making someone have to actually be physically present where the data is to get at it gives you a hell of a lot more protection and control than having someone be able to do it from home, or a café, or wherever.

These are basic, basic things that would solve most of the problems we read about. I’m sure that people who are more tech-savvy than I am can think up even better solutions, but this is not complicated. I guess we’ll just need to wait until we have people who grew up with computers running the country. The fact that people with the technical knowledge of my family members who ask me for tech support all the time are in charge of securing our information is scary.

Right. And you might have less break-ins if you installed 4 different locks on each door of your house and kept the keys in separate pockets/wallets/purses, and changed them all every 3 months. But most people are weighing the likelihood their house will be broken into (2011 Canadian stats imply around 0.6%, and that probably disproportionately affects poorer people in bad neighbourhoods) versus the convenience of being able to go home after work, open one lock and get inside your house.

Sure, your data would be more secure if it was on a network that wasn’t connected to external networks. But that would pretty much kill off most of the activities the majority of people use the internet for, to avoid the relatively remote possibility of being hacked. Most people would prefer the convenience.

My guess on the GoC breach is some security rule(s) were in the way of moving data from one system to another which prevented a worker from performing their job efficiently. So they used sneakernet to complete their task in a timely fashion…just a guess

Governments have the best security and least convenience making complex rules of compliance or rocket science in order to perform seemingly simple daily tasks. I’m only guessing the drive is akin to a Post-it note with a password…

But when something goes walking from a government office, whether intentionally or accidentally, there’s the potential for the personal information of thousands or even millions of people to go missing.

And we’re not just talking about names here, some offices have pretty much everything there is on you that’s of value for someone to steal – SIN numbers, bank account numbers, etc., plus all the more usual stuff – addresses, phone numbers, etc. In short, it’s everything someone needs to steal your identity all in one neat package.

Job efficiency is a poor excuse for exposing the personal info of thousands of millions of Canadians. If protecting our information means things are a bit slower, then so be it.

But I’d wager that a competent manager could get things working in a manner that is both efficient and secure.
